DETAILED ACTION

Terminal Disclaimer 

The terminal disclaimer filed on 20 October 2008 disclaiming the terminal portion of any 
patent granted on this application which would extend beyond the expiration dates of the full 
statutory term of the patent granted on pending reference Application Number 10/661,903 has
been reviewed and is accepted. The terminal disclaimer has been recorded. 

Examiner's Amendment 

An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this Examiner's Amendment was given in a telephone interview with 
Holmes W. Handerson (Reg. No. 37,272) on 19 November 2008. 

This application has been amended as follows: 
IN THE CLAIMS 

Cancel claim 2, 3, 5, 13, 14, 16 - 22, 24, 25 and 27 - 30. 
Replace claim 1, 12 and 23 as follows. 

Claim 1:

A method of securing packet data transferred over a backbone, the backbone operating 
according to a routing protocol, the method comprising the steps of: 

receiving a packet from any one of a plurality of members of a private network, the 
packet being sent from only one member to only one other member of the private network, the 
packet including a private network address comprising a source address and a destination 
address, the packet further including a payload; and 

in response to determining that the packet must be transmitted over the backbone in 
order to reach the destination address: 

apportioning the packet into a first portion and a second portion, wherein the first portion 
includes fields of the packet used for transmission of the packet according to the protocol of the 
backbone including the private network address and the second portion includes the payload; 

appending a gateway source address associated with the source address of the packet 
to the second portion to generate a group header and transforming the second portion of the 
packet according to a group security association associated with a plurality of members of the 
private network to provide a transformed portion which includes a transformed group header, 
where at least one member of the private network with which the group security association is 
associated is neither sender nor recipient of the packet to enable the use of a same group 
security association for a different non-group point-to-point connection at a trusted client edge
device;

appending the first portion of the packet to the transformed portion to provide a 
transformed packet; and 

transmitting the transformed packet to the backbone using the private network address. 

Claim 12:

A method for securing a communication link between two members of a private network, 
the communication link for transporting a packet having a first header and a payload, the first 
header comprising a private network address identifying a source address and a destination 
address packet, the method including the steps of: 

distributing a group security association to each of the at least three members of the 
private network; 

transforming each packet transferred between only two of the at least three members of 
the private network in response to determining that the packet must be transmitted over a 
backbone, the step of transforming including the steps of: 

generating a second header, the second header including a gateway source address 
associated with the source address in the first header, and a destination address identifying the 
private network; 

replacing the first header of the packet with the generated second header to provide a 
modified packet; 

applying the group security association to the modified packet to provide a secure 
packet including applying the security association to the gateway source address; and 
appending the first header to the secure packet to provide a transformed packet; 

and 

forwarding the transformed packet over the communication link using the private network 
address, 

whereby at least one member of the private network with which the group security 
association is associated is neither sender nor recipient of the packet to enable the use of a 
same group security association for a different non-group point-to-point connection at a trusted
client edge device.



Claim 23: 

An apparatus at a node for transforming packets for forwarding between only two 
members of a plurality of members of a group that includes more than two members 
communicating on a scalable private network over a backbone, each of the plurality of group 
members communicating with the backbone via respective gateways, wherein the backbone 
operates according to a protocol, the apparatus comprising: 

physical memory circuitry including a key table, the key table including a security 
association for each group for which the node is a member; 

a microprocessor that executes transform logic comprising means for modifying packets 
received from only one source member of the group for transfer to only one destination member 
of the group on a private network over the backbone by: 

extracting a private network address header from a received packet, the private network 
address header including a source and destination address; 

appending, to the received packet, a group header including a group identifier 
associated with the private network and a gateway address associated with a source member; 

the received packet including the group header to provide a modified packet; 

appending the private network address header to the modified packet to provide a 
transformed packet, where only information in the transformed packet that enables 
communication over the backbone is unsecured; and 

forwarding logic for forwarding communication between members of the group using a
private network address associated with the group, 

whereby at least one member of the private network with which the group security 
association is associated is neither sender nor recipient of the packet to enable the use of a 
same group security association for a different non-group point-to-point connection at a trusted 
client edge device.



Allowable Subject Matter 

Claims 1, 4, 6 - 12, 15, 23 and 26 are allowed. 

The following is an examiner's statement of reasons for allowance: 
The above mentioned claims are allowable over prior arts because the CPA (Cited Prior Art) of 
record fails to teach or render obvious the claimed limitations in combination with the specific 
added limitations recited in claims 1, 12 and 23 (& associated dependent claims). 

The present invention is directed to a method of securing packet data transferred over a 
backbone, the backbone operating according to a routing protocol. No singular art disclosing, 
nor motivation to combine has been found to anticipate or render obvious the claimed invention 
of appending a gateway source address associated with the source address of the packet to the 
second portion to generate a group header and transforming the second portion of the packet 
according to a group security association associated with a plurality of members of the private 
network to provide a transformed portion which includes a transformed group header, where at 
least one member of the private network with which the group security association is associated 
is neither sender nor recipient of the packet to enable the use of same group security 
association for a different non-group point-to-point connection at a trusted client edge device.

Any comments considered necessary by applicant must be submitted no later than the
payment of the issue fee and, to avoid processing delays, should preferably accompany the 
issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons 
for Allowance." 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Longbit Chai whose telephone number is 571-272-3788. The examiner 
can normally be reached on Monday-Friday 8:00am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Longbit Chai/ 

Primary Patent Examiner 
Art Unit 2431 
11/19/2008 



